Bupa: Rogue staffer stole health insurance holders' personal deets

Names, phone numbers, emails released into the wild

Healthcare firm Bupa suffered a data breach when an employee of its international health insurance division inappropriately copied and removed some customer information.

People who have taken out international health insurance with the company were notified on Wednesday that the data taken includes "names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers". Medical data, healthcare histories and financial information were not among the compromised information. Phone numbers and email addresses were exposed, but not physical addresses.

Around 108,000 international health insurance policies are affected and all policy holders are being notified¹.

In its breach notification statement, Bupa Global managing director Sheldon Kenton said the breach was "not a result of cyber attack or external data breach, but a deliberate act by an employee". He apologised and promised that Bupa was in the process of introducing additional security controls and customer identity checks. Bupa has informed the Financial Conduct Authority and other UK regulators.

A Bupa spokeswoman told El Reg that the "employee responsible has been dismissed and we are taking appropriate legal action", adding in a follow-up phone call that the matter had become the subject of a police investigation. "An employee who had access to this information as part of their job inappropriately copied and removed some customer information from the company," she said.

Data privacy watchdogs at the Information Commissioner's Office confirmed they were looking into the incident. It is all rather unfortunate but Bupa ought to be credited with handling the breach notification and (by the looks of it) incident response process promptly and professionally.

Security measures such as data loss prevention (DLP) are designed to stop data from being leaked or stolen. If they were in play, and properly configured, they ought to have stopped a rogue staffer from uploading sensitive information to the net or emailing it out. USB ports arguably ought to be disabled at a health insurance provider, but that still leaves the possibility of more stealthy data extraction methods. DLP technology is, so far, limited to preventing accidental leaks and catching unimaginative data thieves; an employee who is entitled to read the records in the first place looks, to a content-matching filter, exactly like a colleague doing their job.
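Where content-matching DLP falls short, the volume of record access is the signal that is left: an employee who legitimately views a handful of customer records a day and then touches six figures' worth in one sitting stands out in the access log even though every individual read was authorised. The script below is an added illustration of that check and is not code from the article, from Bupa or from any DLP product; the audit log format, user names, dates and thresholds are all constructed for the example.

```python
"""Flag bulk customer-record access by one user in a constructed audit log.

Added example: a complement to content-matching DLP for the insider case.
Everything here (log format, users, counts, thresholds) is assumed for
illustration and does not describe any real system.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed audit log, one line per query against a customer-record system.
# Assumed format: ISO date, user, action, number of records returned.
SAMPLE_LOG = """\
2017-07-10 u.adams VIEW 1
2017-07-10 u.adams VIEW 1
2017-07-10 u.adams VIEW 2
2017-07-10 j.bloggs EXPORT 40000
2017-07-10 j.bloggs EXPORT 68000
2017-07-10 k.chen VIEW 1
2017-07-10 k.chen VIEW 3
2017-07-11 j.bloggs VIEW 1
2017-07-11 u.adams VIEW 2
2017-07-11 k.chen EXPORT 250
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (VIEW|EXPORT) (\d+)$")


def parse_log(text):
    """Yield (date, user, action, count) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def daily_totals(events):
    """Sum the records touched per (date, user), regardless of action type."""
    totals = defaultdict(int)
    for date, user, _action, count in events:
        totals[(date, user)] += count
    return totals


def flag_bulk_access(totals, absolute_limit=10000, ratio=20):
    """Return (date, user, total) for every user whose daily total is anomalous.

    A user is flagged when the day's total exceeds an absolute ceiling, or is
    more than `ratio` times the median of the other users' totals that day.
    The median is used as the baseline because a single heavy user cannot
    drag it up and hide behind an inflated average.
    """
    by_date = defaultdict(dict)
    for (date, user), total in totals.items():
        by_date[date][user] = total

    flagged = []
    for date, per_user in sorted(by_date.items()):
        for user, total in sorted(per_user.items()):
            others = [t for u, t in per_user.items() if u != user]
            baseline = median(others) if others else 0
            if total > absolute_limit or (baseline and total > ratio * baseline):
                flagged.append((date, user, total))
    return flagged


def detect(text=SAMPLE_LOG):
    """Run the whole pipeline over a log and return the flagged entries."""
    return flag_bulk_access(daily_totals(parse_log(text)))


if __name__ == "__main__":
    for date, user, total in detect():
        print(f"{date}: {user} touched {total} customer records")
```

On the constructed log this flags j.bloggs on the first day (two exports totalling 108,000 records, over the absolute ceiling) and k.chen on the second (250 records against a median of 1.5 for everyone else). The absolute limit catches the obvious case; the ratio catches the quieter one that a fixed threshold alone would miss, which is the kind of behaviour a DLP filter inspecting content rather than volume never sees.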

Mark James, security specialist at infosec firm ESET, warned that the breach exposes Bupa customers to the risk of more convincing phishing scams that might be crafted using the leaked data.

Marco Cova, senior security researcher at cybersecurity firm Lastline, added: "Unfortunately, the data revealed from this breach is the type that criminals can use to launch additional attacks. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. The information that they gather does not have to be highly confidential in order to create successful attacks. Data breaches provide a distribution hub for malware for years to come."

¹ Bupa Global has 1.4 million international health insurance customers. The breach does not affect its local (domestic) insurance customers, only international health insurance holders.